DOCSLIB.ORG

Analysing the Use of Outdated Javascript Libraries on the Web

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysing the Use of Outdated Javascript Libraries on the Web Updated in September 2017: Require valid versions for library detection throughout the paper. The vulnerability analysis already did so and remains identical. Modifications in Tables I, III and IV; Figures 4 and 7; Sections III-B, IV-B, IV-C, IV-F and IV-H. Additionally, highlight Ember’s security practices in Section V. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson and Engin Kirda Northeastern University {toby, 3abdou, arshad, wkr, cbw, ek}@ccs.neu.edu Abstract—Web developers routinely rely on third-party Java- scripts or HTML into vulnerable websites via a crafted tag. As Script libraries such as jQuery to enhance the functionality of a result, it is of the utmost importance for websites to manage their sites. However, if not properly maintained, such dependen- library dependencies and, in particular, to update vulnerable cies can create attack vectors allowing a site to be compromised. libraries in a timely fashion. In this paper, we conduct the first comprehensive study of To date, security research has addressed a wide range of client-side JavaScript library usage and the resulting security client-side security issues in websites, including validation [30] implications across the Web. Using data from over 133 k websites, we show that 37 % of them include at least one library with a and XSS ([17], [36]), cross-site request forgery [4], and session known vulnerability; the time lag behind the newest release of fixation [34]. However, the use of vulnerable JavaScript libraries a library is measured in the order of years. In order to better by websites has not received nearly as much attention. In understand why websites use so many vulnerable or outdated 2014, a series of blog posts presented cursory measurements libraries, we track causal inclusion relationships and quantify highlighting that major websites included known vulnerable different scenarios. We observe sites including libraries in ad hoc libraries ([25], [26], [24]). These findings echo warnings from and often transitive ways, which can lead to different versions of other software ecosystems like Android [3], Java [32] and the same library being loaded into the same document at the same Windows [21], which show that vulnerable libraries continue time. Furthermore, we find that libraries included transitively, or to exist in the wild even when they are widely known to via ad and tracking code, are more likely to be vulnerable. This contain severe vulnerabilities. Given that JavaScript dependency demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are management is relatively primitive and corresponding tools to blame for the Web’s poor state of library management. are not as well-established as in more mature ecosystems, these findings suggest that security issues caused by outdated The results of our work underline the need for more thorough JavaScript libraries on the Web may be widespread. approaches to dependency management, code maintenance and third-party code inclusion on the Web. In this paper, we conduct the first comprehensive study on the security implications of JavaScript library usage in websites. We seek to answer the following questions: I. INTRODUCTION The Web is arguably the most popular contemporary • Where do websites load JavaScript libraries from (i.e., programming platform. Although websites are relatively easy to first or third-party domains), and how frequently are create, they are often composed of heterogeneous components these domains used? such as database backends, content generation engines, multiple • How current are the libraries that websites are using, scripting languages and client-side code, and they need to deal and do they contain known vulnerabilities? with unsanitised inputs encoded in several different formats. • Are web developers intentionally including JavaScript Hence, it is no surprise that it is challenging to secure websites libraries, or are these dependencies caused by adver- because of the large attack surface they expose. tising and tracking code? • Are existing remediation strategies effective or widely One specific, significant attack surface are vulnerabilities used? related to client-side JavaScript, such as cross-site scripting (XSS) and advanced phishing. Crucially, modern websites often • Are there additional technical, methodological, or include popular third-party JavaScript libraries, and thus are at organisational changes that can improve the security risk of inheriting vulnerabilities contained in these libraries. For of websites with respect to JavaScript library usage? example, a 2013 XSS vulnerability in the jQuery [13] library Note that the focus of this paper is not measuring the security before version 1.6.3 allowed remote attackers to inject arbitrary state of specific JavaScript libraries. Rather, our goal (and primary contribution) is to empirically examine whether website Permission to freely reproduce all or part of this paper for noncommercial operators keep their libraries current and react to publicly purposes is granted provided that copies bear this notice and the full citation disclosed vulnerabilities. on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author Answering these questions necessitated solving three funda- (for reproduction of an entire paper only), and the author’s employer if the mental methodological challenges. First, there is no centralised paper was prepared within the scope of employment. repository of metadata pertaining to JavaScript libraries and NDSS ’17, 26 February - 1 March 2017, San Diego, CA, USA Copyright 2017 Internet Society, ISBN 1-1891562-46-0 their versions, release dates, and known vulnerabilities. To https://doi.org/10.14722/ndss.2017.23414 address this, we manually constructed a catalogue containing all “release” versions of 72 of the most popular open-source • We present results on the origins of vulnerable libraries, including detailed vulnerability information on a JavaScript library inclusions, which allows us to subset of 11 libraries. Second, web developers often modify contrast the security posture of website developers with JavaScript libraries by reformatting, restructuring or appending third-party modules such as WordPress, advertising or code, which makes it difficult to detect library usage in the tracking networks, and social media widgets. wild. We solve this problem through a combination of static • We show that a large number of websites include and dynamic analysis techniques. Third, to understand why JavaScript libraries in unexpected ways, such as mul- specific libraries are loaded by a given site, we need to track all tiple inclusions of different library versions into the of the causal relationships between page elements (e.g., script same document, which may impact their attack surface. s1 in frame f1 injects script s2 into frame f2). To solve this, • We find existing remediation strategies to be ineffective we developed a customised version of Chromium that records at mitigating the threats posed by vulnerable JavaScript detailed causality trees of page element creation relationships. libraries. For example, less than 3 % of websites could Using these tools, we crawled the Alexa Top 75 k websites fix all their vulnerable libraries by applying only patch- and a random sample of 75 k websites drawn from a snapshot level updates. Similarly, only 2 % of websites use the of the .com zone in May 2016. These two crawls allow us to version-aliasing services offered by JavaScript CDNs. compare and contrast JavaScript library usage between popular and unpopular websites. In total, we observed 11,141,726 inline II. BACKGROUND scripts and script file inclusions; 86.6 % of Alexa sites and JavaScript has allowed web developers to build highly inter- 65.4 % of .com sites used at least one well-known JavaScript active websites with sophisticated functionality. For example, library, with jQuery being the most popular by a large majority. communication and production-related online services such as Analysis of our dataset reveals many concerning facts Gmail and Office 365 make heavy use of JavaScript to create about JavaScript library management on today’s Web. More web-based applications comparable to their more traditional than a third of the websites in our Alexa crawl include at desktop counterparts. In this paper, we focus exclusively on least one vulnerable library version, and nearly 10 % include aspects of client-side JavaScript executed in a browser, not the two or more different vulnerable versions. From a per-library recent trend of using JavaScript for server-side programming. perspective, at least 36.7 % of jQuery, 40.1 % of Angular, 86.6 % of Handlebars, and 87.3 % of YUI inclusions use a vulnerable A. JavaScript Libraries version. Alarmingly, many sites continue to rely on libraries like YUI and SWFObject that are no longer maintained. In fact, In many cases, to make their lives easier, web developers the median website in our dataset is using a library version rely on functionality that is bundled in libraries. For example, 1,177 days older than the newest release, which explains why so jQuery [13] is a popular JavaScript library that makes HTML many vulnerable libraries tend to linger on the Web. Advertising, document traversal and manipulation,
Load more

Recommended publications
  • Machine Learning in the Browser
    Machine Learning in the Browser The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:38811507 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA Machine Learning in the Browser a thesis presented by Tomas Reimers to The Department of Computer Science in partial fulfillment of the requirements for the degree of Bachelor of Arts in the subject of Computer Science Harvard University Cambridge, Massachusetts March 2017 Contents 1 Introduction 3 1.1 Background . .3 1.2 Motivation . .4 1.2.1 Privacy . .4 1.2.2 Unavailable Server . .4 1.2.3 Simple, Self-Contained Demos . .5 1.3 Challenges . .5 1.3.1 Performance . .5 1.3.2 Poor Generality . .7 1.3.3 Manual Implementation in JavaScript . .7 2 The TensorFlow Architecture 7 2.1 TensorFlow's API . .7 2.2 TensorFlow's Implementation . .9 2.3 Portability . .9 3 Compiling TensorFlow into JavaScript 10 3.1 Motivation to Compile . 10 3.2 Background on Emscripten . 10 3.2.1 Build Process . 12 3.2.2 Dependencies . 12 3.2.3 Bitness Assumptions . 13 3.2.4 Concurrency Model . 13 3.3 Experiences . 14 4 Results 15 4.1 Benchmarks . 15 4.2 Library Size . 16 4.3 WebAssembly . 17 5 Developer Experience 17 5.1 Universal Graph Runner .
    [Show full text]
  • THE FUTURE of SCREENS from James Stanton a Little Bit About Me
    THE FUTURE OF SCREENS From james stanton A little bit about me. Hi I am James (Mckenzie) Stanton Thinker / Designer / Engineer / Director / Executive / Artist / Human / Practitioner / Gardner / Builder / and much more... Born in Essex, United Kingdom and survived a few hair raising moments and learnt digital from the ground up. Ok enough of the pleasantries I have been working in the design field since 1999 from the Falmouth School of Art and onwards to the RCA, and many companies. Ok. less about me and more about what I have seen… Today we are going to cover - SCREENS CONCEPTS - DIGITAL TRANSFORMATION - WHY ASSETS LIBRARIES - CODE LIBRARIES - COST EFFECTIVE SOLUTION FOR IMPLEMENTATION I know, I know, I know. That's all good and well, but what does this all mean to a company like mine? We are about to see a massive change in consumer behavior so let's get ready. DIGITAL TRANSFORMATION AS A USP Getting this correct will change your company forever. DIGITAL TRANSFORMATION USP-01 Digital transformation (DT) – the use of technology to radically improve performance or reach of enterprises – is becoming a hot topic for companies across the globe. VERY DIGITAL CHANGING NOT VERY DIGITAL DIGITAL TRANSFORMATION USP-02 Companies face common pressures from customers, employees and competitors to begin or speed up their digital transformation. However they are transforming at different paces with different results. VERY DIGITAL CHANGING NOT VERY DIGITAL DIGITAL TRANSFORMATION USP-03 Successful digital transformation comes not from implementing new technologies but from transforming your organisation to take advantage of the possibilities that new technologies provide.
    [Show full text]
  • The Jungle Through Javascript Frameworks
    The jungle through Javascript frameworks. Jonatan Karlsson Henrik Ölund Web Programming Web Programming 2013, BTH, Blekinge institute of 2013, BTH, Blekinge institute of technology technology Advanced topic in Web development, PA1426 Advanced topic in Web development, PA1426 HT15 HT15 Karlskrona, Sweden Karlskrona, Sweden [email protected] [email protected] PA1426 Revision C, Advanced topic in Web development 2015-11-05 Abstract In this article we have planned to dive into Javascripts world where new framework comes out “every day”. We will take the reader into a world where nothing are for granted and everything is a non-standard. In the current situation, there is a [3] tremendous amount of Javascript frameworks ​ and that makes it difficult for a ​ layman to choose the right framework, for the right task and this is something we will try figure out and explain to the reader. Keywords: Javascript, Framework, MV*, Client-side, React, Mithril, Backbone.js, ​ Ember.js 1 PA1426 Revision C, Advanced topic in Web development 2015-11-05 Abstract 1. Introduction 1.1 Background 1.2 Intention 1.3 Method First part Does the framework follow the MV*-pattern? Is the framework popular on google? Have the framework risen in popularity since 2013? Does the framework have any corporation that backs them? Second part 2. Result 2.1 Which frameworks did we select? 2.2 Not included 2.3 React What philosophies have pushed this framework forward? What kind of problem does this framework solve? Which famous products has been created with this framework?
    [Show full text]
  • Glen R. Goodwin [email protected] Laurel, Maryland
    Glen R. Goodwin [email protected] Laurel, Maryland https://arei.net Experience August 2019 to Director of Software Engineering / Lead Engineer, Whitebox Technology, Present Baltimore, Maryland • Lead day to day operations of entire Engineering Directorate including growing team from 5 engineers to 18 engineers. • Designed and implemented entire Engineering department’s communication and process and company culture of Software excellence. • Mentored entire team and individual developers in communication, architecture, engineering best practices, and software quality. • Served as Lead Engineer for Systems Team, responsible for implementing innovative systems to deliver faster, more efficently, and at scale • Served as Lead Experience Engineer fostering and implementing consistent cross product common solutions to better enhance the company brand and the end user expereience. • Designed and delivered technical solutions across the entire company on everything from visualizations to automated conveyance systems. July 2018 to Founder, The Awesome Engineering Company, Laurel, Maryland August 2019 • Started The Awesome Engineering Company to productize personally developed open source solutions. • Developed open source products for NodeJS and modern browsers. October 2013 to Distinguished Software Engineer & Chief Architect for CyberSecurity, SAS July 2018 Institute inc, Ellicott City, Maryland • Chief Architect for the SAS Cybersecurity product line overseeing technical (Converted from VSTI vision from inception to release. employee to parent SAS company in October 2013) • Served as Engineering Lead for User Interface, Services (API), Persistence (ElasticSearch), and Enrichment teams structured around technical layers. • Acted as Lead Researcher for new implementations and technology experiments advising senior management on feasibility and direction • Designed and implemented backend and frontend technologies for the entire product from conception to delivery in multiple languages/frameworks.
    [Show full text]
  • Create Mobile Apps with HTML5, Javascript and Visual Studio
    Create mobile apps with HTML5, JavaScript and Visual Studio DevExtreme Mobile is a single page application (SPA) framework for your next Windows Phone, iOS and Android application, ready for online publication or packaged as a store-ready native app using Apache Cordova (PhoneGap). With DevExtreme, you can target today’s most popular mobile devices with a single codebase and create interactive solutions that will amaze. Get started today… ・ Leverage your existing Visual Studio expertise. ・ Build a real app, not just a web page. ・ Deliver a native UI and experience on all supported devices. ・ Use over 30 built-in touch optimized widgets. Learn more and download your free trial devexpress.com/mobile All trademarks or registered trademarks are property of their respective owners. Untitled-4 1 10/2/13 11:58 AM APPLICATIONS & DEVELOPMENT SPECIAL GOVERNMENT ISSUE INSIDE Choose a Cloud Network for Government-Compliant magazine Applications Geo-Visualization of SPECIAL GOVERNMENT ISSUE & DEVELOPMENT SPECIAL GOVERNMENT ISSUE APPLICATIONS Government Data Sources Harness Open Data with CKAN, OData and Windows Azure Engage Communities with Open311 THE DIGITAL GOVERNMENT ISSUE Inside the tools, technologies and APIs that are changing the way government interacts with citizens. PLUS SPECIAL GOVERNMENT ISSUE APPLICATIONS & DEVELOPMENT SPECIAL GOVERNMENT ISSUE & DEVELOPMENT SPECIAL GOVERNMENT ISSUE APPLICATIONS Enhance Services with Windows Phone 8 Wallet and NFC Leverage Web Assets as Data Sources for Apps APPLICATIONS & DEVELOPMENT SPECIAL GOVERNMENT ISSUE ISSUE GOVERNMENT SPECIAL DEVELOPMENT & APPLICATIONS Untitled-1 1 10/4/13 11:40 AM CONTENTS OCTOBER 2013/SPECIAL GOVERNMENT ISSUE OCTOBER 2013/SPECIAL GOVERNMENT ISSUE magazine FEATURES MOHAMMAD AL-SABT Editorial Director/[email protected] Geo-Visualization of Government KENT SHARKEY Site Manager Data Sources MICHAEL DESMOND Editor in Chief/[email protected] Malcolm Hyson ..........................................
    [Show full text]
  • Extracting Taint Specifications for Javascript Libraries
    Extracting Taint Specifications for JavaScript Libraries Cristian-Alexandru Staicu Martin Toldam Torp Max Schäfer TU Darmstadt Aarhus University GitHub [email protected] [email protected] [email protected] Anders Møller Michael Pradel Aarhus University University of Stuttgart [email protected] [email protected] ABSTRACT ACM Reference Format: Modern JavaScript applications extensively depend on third-party Cristian-Alexandru Staicu, Martin Toldam Torp, Max Schäfer, Anders Møller, and Michael Pradel. 2020. Extracting Taint Specifications for JavaScript libraries. Especially for the Node.js platform, vulnerabilities can Libraries. In 42nd International Conference on Software Engineering (ICSE have severe consequences to the security of applications, resulting ’20), May 23–29, 2020, Seoul, Republic of Korea. ACM, New York, NY, USA, in, e.g., cross-site scripting and command injection attacks. Existing 12 pages. https://doi.org/10.1145/3377811.3380390 static analysis tools that have been developed to automatically detect such issues are either too coarse-grained, looking only at 1 INTRODUCTION package dependency structure while ignoring dataflow, or rely on JavaScript is powering a wide variety of web applications, both manually written taint specifications for the most popular libraries client-side and server-side. Many of these applications are security- to ensure analysis scalability. critical, such as PayPal, Netflix, or Uber, which handle massive In this work, we propose a technique for automatically extract- amounts of privacy-sensitive user data and other assets. An impor- ing taint specifications for JavaScript libraries, based on a dynamic tant characteristic of modern JavaScript-based applications is the analysis that leverages the existing test suites of the libraries and extensive use of third-party libraries.
    [Show full text]
  • From GWT to Angular: an Experiment Report on Migrating a Legacy Web
    From GWT to Angular: An Experiment Report on Migrating a Legacy Web Application Benoit Verhaeghe, Anas Shatnawi, Abderrahmane Seriai, Anne Etien, Nicolas Anquetil, Mustapha Derras, Stephane Ducasse To cite this version: Benoit Verhaeghe, Anas Shatnawi, Abderrahmane Seriai, Anne Etien, Nicolas Anquetil, et al.. From GWT to Angular: An Experiment Report on Migrating a Legacy Web Application. IEEE Software, Institute of Electrical and Electronics Engineers, In press, 10.1109/MS.2021.3101249. hal-03313462 HAL Id: hal-03313462 https://hal.archives-ouvertes.fr/hal-03313462 Submitted on 4 Aug 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Department: Head Editor: Name, xxxx@email From GWT to Angular: An Experiment Report on Migrating a Legacy Web Application B. Verhaeghe Berger-Levrault, France Université de Lille, CNRS, Inria, Centrale Lille, UMR 9189 – CRIStAL, France A. Shatnawi Berger-Levrault, France A. Seriai Berger-Levrault, France A. Etien Université de Lille, CNRS, Inria, Centrale Lille, UMR 9189 – CRIStAL, France N. Anquetil Université de Lille, CNRS, Inria, Centrale Lille, UMR 9189 – CRIStAL, France M. Derras Berger-Levrault, France S. Ducasse Université de Lille, CNRS, Inria, Centrale Lille, UMR 9189 – CRIStAL, France Abstract—Berger-Levrault is an international company that developed applications in GWT for more than 10 years.
    [Show full text]
  • Microsoft AJAX Library Essentials Client-Side ASP.NET AJAX 1.0 Explained
    Microsoft AJAX Library Essentials Client-side ASP.NET AJAX 1.0 Explained A practical tutorial to using Microsoft AJAX Library to enhance the user experience of your ASP.NET Web Applications Bogdan Brinzarea Cristian Darie BIRMINGHAM - MUMBAI Microsoft AJAX Library Essentials Client-side ASP.NET AJAX 1.0 Explained Copyright © 2007 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: July 2007 Production Reference: 1230707 Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK. ISBN 978-1-847190-98-7 www.packtpub.com Cover Image by www.visionwt.com Table of Contents Preface 1 Chapter 1: AJAX and ASP.NET 7 The Big Picture 8 AJAX and Web 2.0 10 Building
    [Show full text]
  • Learning Javascript Design Patterns
    Learning JavaScript Design Patterns Addy Osmani Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo Learning JavaScript Design Patterns by Addy Osmani Copyright © 2012 Addy Osmani. All rights reserved. Revision History for the : 2012-05-01 Early release revision 1 See http://oreilly.com/catalog/errata.csp?isbn=9781449331818 for release details. ISBN: 978-1-449-33181-8 1335906805 Table of Contents Preface ..................................................................... ix 1. Introduction ........................................................... 1 2. What is a Pattern? ...................................................... 3 We already use patterns everyday 4 3. 'Pattern'-ity Testing, Proto-Patterns & The Rule Of Three ...................... 7 4. The Structure Of A Design Pattern ......................................... 9 5. Writing Design Patterns ................................................. 11 6. Anti-Patterns ......................................................... 13 7. Categories Of Design Pattern ............................................ 15 Creational Design Patterns 15 Structural Design Patterns 16 Behavioral Design Patterns 16 8. Design Pattern Categorization ........................................... 17 A brief note on classes 17 9. JavaScript Design Patterns .............................................. 21 The Creational Pattern 22 The Constructor Pattern 23 Basic Constructors 23 Constructors With Prototypes 24 The Singleton Pattern 24 The Module Pattern 27 iii Modules 27 Object Literals 27 The Module Pattern
    [Show full text]
  • The Snap Framework: a Web Toolkit for Haskell
    The Functional Web The Snap Framework A Web Toolkit for Haskell Gregory Collins • Google Switzerland Doug Beardsley • Karamaan Group askell is an advanced functional pro- the same inputs, always produce the same out- gramming language. The product of more put. This property means that you almost always H than 20 years of research, it enables rapid decompose a Haskell program into smaller con- development of robust, concise, and fast soft- stituent parts that you can test independently. ware. Haskell supports integration with other Haskell’s ecosystem also includes many power- languages and has loads of built-in concurrency, ful testing and code-coverage tools. parallelism primitives, and rich libraries. With Haskell also comes out of the box with a set its state-of-the-art testing tools and an active of easy-to-use primitives for parallel and con- community, Haskell makes it easier to produce current programming and for performance pro- flexible, maintainable, high-quality software. filing and tuning. Applications built with GHC The most popular Haskell implementation is enjoy solid multicore performance and can han- the Glasgow Haskell Compiler (GHC), a high- dle hundreds of thousands of concurrent net- performance optimizing native-code compiler. work connections. We’ve been delighted to find Here, we look at Snap, a Web-development that Haskell really shines for Web programming. framework for Haskell. Snap combines many other Web-development environments’ best fea- What’s Snap? tures: writing Web code in an expressive high- Snap offers programmers a simple, expressive level language, a rapid development cycle, fast Web programming interface at roughly the same performance for native code, and easy deploy- level of abstraction as Java servlets.
    [Show full text]
  • MASTER THESIS Javascript Frameworks a Qualitative
    MASTER THESIS JavaScript Frameworks A qualitative evaluation and comparison of the dominant factors in Angular and React Abdul Kadir Yorulmaz MSc. in Computer Science & Informatics Supervised by Anders Lassen Department of Computer Science & Informatics June 2, 2020 Abstract The rising number of JavaScript libraries and frameworks that have been developed during the years, gives the experienced and inexperienced practitioners complexity when wanting to commit to a frame- work. Today, a more concrete and analysed evaluation process is lacking for developers in order to make sure a framework fit their needs for the given project’s purpose and size. This thesis explores an evaluation process that can help practitioners determine which framework or library fit their needs for their project, but also choosing the framework that fits best with their experience and preferences when building applications. This study is build on an experiment, where two Todo-list applications were developed via Angular and React. Based on the development process of each application, the framework and library were evaluated via relevant factors that give insights to what to expect from the framework and library in terms of how fast one can learn it, the quality of the documentation, the helpfulness of their communities and the frequency of updates. Through the evaluations, the dominant factors were found for Angular and React, which gave the base for doing the comparative analysis in order to find the differences and similarities between them. By conducting the comparative analysis of the dominant factors within Angular and React, this study gives the indication that Angular gives clear directions when developing and therefore can be well-suited to both experienced developers but also beginners.
    [Show full text]
  • Cross-Platform Mobile Application for the Cothority
    Cross-Platform Mobile Application for the Cothority Vincent Petri & Cedric Maire School of Computer and Communication Sciences Decentralized and Distributed Systems Lab Semester Project January 2018 Responsible Supervisor Prof. Bryan Ford Linus Gasser EPFL / DeDiS EPFL / DeDiS 2 Acknowledgements We would like to express our special thanks to Linus Gasser who gave us the opportunity to do this very interesting project related to the collec- tive authority (Cothority) framework developed by the DeDiS laboratory at EPFL. We would like to thank him for the valuable help he gave us whenever we needed and for the knowledge he provided to us throughout the semester. Secondly, we would also like to thank our parents and friends who helped us through the hard times of finalising the project within the limited time frame. 3 1 Abstract The Cothority2 framework has been developed and maintained by the DeDiS laboratory at EPFL. This project provides a framework for develop- ing, analysing, and deploying decentralised and distributed cryptographic protocols. A set of servers that runs these protocols and communicates among each other is referred to as a collective authority, or cothority, and the individual servers are called cothority servers or conodes. A cothority that executes decentralised protocols could be used for collective signing, threshold signing, or the generation of public-randomness, to name only a few options. The highest level of abstraction can be created by protocols like the collective signature (CoSi) protocol, the random numbers (Rand- Hound) protocol, or the communication (Messaging) protocol used by the conodes to exchange data. Then come the services, which rely on these pro- tocols.
    [Show full text]